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Foreword 



This Technical Specification has been produced by the 3GPP. 

The contents of the present document are subject to continuing work within the TSG and may change following formal 
TSG approval. Should the TSG modify the contents of this TS, it will be re-released by the TSG with an identifying 
change of release date and an increase in version number as follows: 

Version 3.y.z 

where: 

3 the first digit: 

3 Indicates TSG approved document under change control. 

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, 
updates, etc. 

z the third digit is incremented when editorial only changes have been incorporated in the specification. 
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Scope 



This technical specification defines how elements of the 3G-security architecture are to be integrated into the following 
entities of the system architecture. 

Home Environment Authentication Centre (HE/AuC) 

- Serving Network Visited Location Register (VLR/SGSN) 

- Radio Network Controller (RNC) 

- Mobile station User Identity Module (UIM) 

- Mobile Equipment (ME) 

This specification is derived from 3G "Security architecture". [1] 

The structure of this technical specification is a series of tables, which describe the security information and 
cryptographic functions to be stored in the above entities of the 3G system. 

For security information, this is in terms of multiplicity, lifetime, parameter length and whether mandatory or optional. 

For the cryptographic functions, the tables also include an indication of whether the implementation needs to be 
standardised or can be proprietary. 

The equivalent information for the alternative Temporary Key proposal is included in an appendix to this document. 



References 



The following documents contain provisions which, through reference in this text, constitute provisions of the present 
document. 

• References are either specific (identified by date of publication, edition number, version number, etc.) or 
non-specific. 

• For a specific reference, subsequent revisions do not apply. 

• For a non-specific reference, the latest version applies. 

[1] 3G TS 33.102: "3rd Generation Partnership Project; Technical Specification Group Services and 

System Aspects; 3G Security; 3G Security Architecture". 



3 Definitions, symbols and abbreviations 

3.1 Definitions 

For the purposes of the present document, the following definitions apply: 

Authentication vector: either a quintet or a triplet. 

Confidentiality: The property that information is not made available or disclosed to unauthorised individuals, entities 
or processes. 

Data integrity: The property that data has not been altered in an unauthorised manner. 

Data origin authentication: The corroboration that the source of data received is as claimed. 

Entity authentication: The provision of assurance of the claimed identity of an entity. 
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GSM Entity authentication and key agreement: Entity authentication according to GSM 03.20. 

GSM security context: a state that is established between a user and a serving network domain usually as a result of 
the execution of GSM AKA. At both ends "GSM security context data" is stored, that consists at least of the GSM 
cipher key Kc and the cipher key sequence number CKSN. 

GSM subscriber: a mobile station that consists of user equipment with a SIM inserted. 

Key freshness: A key is fresh if it can be guaranteed to be new, as opposed to an old key being reused through actions 
of either an adversary or authorised party. 

Mobile station, user: the combination of user equipment and a user access module. 

Quintet, UMTS authentication vector: temporary authentication data that enables an MSC/VLR or SGSN to engage 
in UMTS AKA with a particular user. A quintet consists of five elements: a) a network challenge RAND, b) an 
expected user response XRES, c) a cipher key CK, d) an integrity key IK and e) a network authentication token AUTN. 

SIM - GSM Subscriber Identity Module. In a security context, this module is responsible for performing GSM 
subscriber authentication and key agreement. This module is not capable of handling UMTS authentication nor storing 
UMTS style keys. 

Temporary authentication data: either UMTS or GSM security context data or UMTS or GSM authentication 
vectors. 

Triplet, GSM authentication vector: temporary authentication data that enables an MSC/VLR or SGSN to engage in 
GSM AKA with a particular user. A triplet consists of three elements: a) a network challenge RAND, b) an expected 
user response SRES and c) a cipher key Kc. 

User access module: either a USIM or a SIM 

USIM - User Services Identity Module. In a security context, this module is responsible for performing UMTS 
subscriber and network authentication and key agreement. It should also be capable of performing GSM authentication 
and key agreement to enable the subscriber to roam easily into a GSM Radio Access Network. 

UMTS Entity authentication and key agreement: Entity authentication according to this specification. 

UMTS security context: a state that is established between a user and a serving network domain as a result of the 
execution of UMTS AKA. At both ends "UMTS security context data" is stored, that consists at least of the UMTS 
cipher/integrity keys CK and IK and the key set identifier KSI. 

UMTS subscriber: a mobile station that consists of user equipment with a USIM inserted. 

3.2 Symbols 

For the purposes of the present document, the following symbols apply: 

II Concatenation 

© Exclusive or 

fl Message authentication function used to compute MAC 

f 1 * Message authentication function used to compute MAC-S 

f2 Message authentication function used to compute RES and XRES 

G Key generating function used to compute CK 

f4 Key generating function used to compute IK 

f5 Key generating function used to compute AK 

f6 Encryption function used to encrypt the IMSI 

f7 Decryption function used to decrypt the IMSI (=f6 _1 ) 

f8 Integrity algorithm 

f9 Confidentiality algorithm 

flO Deriving function used to compute TEMSI 

K Long-term secret key shared between the USIM and the AuC 
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3.3 Abbreviations 

For the purposes of the present document, the following abbreviations apply: 



AK Anonymity Key 

AKA Authentication and key agreement 

AMF Authentication management field 

AUTN Authentication Token 

AV Authentication Vector 

CK Cipher Key 

CKSN Cipher key sequence number 

CS Circuit Switched 

D SK(X )(data) Decryption of "data" with Secret Key of X used for signing 

E KSX Y(i)(data) Encryption of "data" with Symmetric Session Key #i for sending data from X to Y 

E PK ( X )(data) Encryption of "data" with Public Key of X used for encryption 

EMSI Encrypted Mobile Subscriber Identity 

EMSIN Encrypted MSIN 

Hash(data) The result of applying a collision-resistant one-way hash-function to "data" 

HE Home Environment 

HLR Home Location Register 

IK Integrity Key 

IMSI International Mobile Subscriber Identity 

IV Initialisation Vector 

KAC X Key Administration Centre of Network X 

KS X y(i) Symmetric Session Key #i for sending data from X to Y 

KSI Key Set Identifier 

KSS Key Stream Segment 

LAI Location Area Identity 

MAP Mobile Application Part 

MAC Message Authentication Code 

MAC-A The message authentication code included in AUTN, computed using f 1 

MS Mobile Station 

MSC Mobile Services Switching Centre 

MSIN Mobile Station Identity Number 

MT Mobile Termination 

NE X Network Element of Network X 

PS Packet Switched 

P-TMSI Packet-TMSI 

Q Quintet, UMTS authentication vector 

RAI Routing Area Identifier 

RAND Random challenge 

RND X Unpredictable Random Value generated by X 

SQN Sequence number 

SQN UIC Sequence number user for enhanced user identity confidentiality 

SQNhe Sequence number counter maintained in the HLR/AuC 

SQN M s Sequence number counter maintained in the USIM 

SGSN Serving GPRS Support Node 

SIM (GSM) Subscriber Identity Module 

SN Serving Network 

T Triplet, GSM authentication vector 

TE Terminal Equipment 

TEMSI Temporary Encrypted Mobile Subscriber Identity used for paging instead of IMSI 

Textl Optional Data Field 

Text2 Optional Data Field 

Text3 Public Key algorithm identifier and Public Key Version Number (eventually included in Public 

Key Certificate) 

TMSI Temporary Mobile Subscriber Identity 

TTP Trusted Third Party 

UE User equipment 

UEA UMTS Encryption Algorithm 

UIA UMTS Integrity Algorithm 
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UIDN User Identity Decryption Node 

USIM User Services Identity Module 

VLR Visitor Location Register 

X Network Identifier 

XEMSI Extended Encrypted Mobile Subscriber Identity 

XRES Expected Response 

Y Network Identifier 



Access link security 



4.1 Functional network architecture 




Figure 1 shows the functional security architecture of UMTS. 




Figure 1 : UMTS functional security architecture 

The vertical bars represent the network elements: 
In the user domain: 

USIM (User Service Identity Module): an access module issued by a HE to a user; 
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UE (User Equipment); 

In the serving network (SN) domain: 

RNC (Radio Network Controller); 

VLR (Visited Location Register), also the SGSN; 

In the home environment (HE) domain: 

HLR/AuC; 

UIDN. 

The horizontal lines represent the security mechanisms: 

EUIC: mechanism for enhanced user identity confidentiality (optional, between user and HE); 

UIC: conventional mechanism for user identity confidentiality (between user and serving network); 

AKA: the mechanism for authentication and key agreement, including the functionality to trigger a re- 
authentication by the user, i.e., to control the access key pair lifetime; 

DC: the mechanism for data confidentiality of user and signalling data; 

DI: the mechanism for data integrity of signalling data; 

DEC: the mechanism for network-wide data confidentiality. 

In the remaining section of this specification we describe what data elements and functions need to be implemented in 
each of the above network elements for each of the above mechanisms and functions. 

4.2 User services identity module 

4.2.1 Enhanced User Identity Confidentiality (EUICusim) 

For UMTS users with EUIC, the USIM has to store additional data and have additional functions implemented to 
encrypt the permanent user identity (IMSI). We describe the requirements as regards data storage and algorithm 
implementation for an example mechanism in annex B of 3G TS 33.102. 

The following data elements need to be stored on the USIM: 

a) SQN UIC : a counter that is equal to the highest SQN UIC generated and sent by the USIM to the HE/UIDN; 

b) GK: the group key used to encrypt the MSIN and SQNui C ; 

c) GI: a group identifier that identifies the group the user refers to as well as the GK; 

d) TEMSI: a temporary identity used for paging instead of IMSI; 
d) UIDN_ADR: address of UIDN according to E.164. 
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Table 1 : USIM - Enhanced User Identity Confidentiality - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / Optional 


GK 


Group key 


1 per user group the 
user belongs to 


Permanent 


128 bits 
(Notel) 


Optional 


SQNuic 


Counter 


1 per user 


Updated when 
protocol for EUIC is 
executed 


32 bits 


Optional 


Gl 


Group Identity 


1 per user 


Permanent 


32 bits 


Optional 


TEMSI 


Temporary 
identity used for 
paging instead 
of IMSI 


1 per user 


Updated when a new 
identity request has 
been performed 


As per 
IMSI 


Optional 


UIDN_ADR 


Address of 
UIDN according 
to E. 164 


1 per user 


Permanent 


15 digits 


Optional 



NOTE 1 : The table entry is for the example secret key mechanism given in annex B of 33.102 
The following cryptographic functions need to be implemented in the USIM: 
f6: the user identity encryption function; 
- flO: TEMSI calculation function. 
For a summary of the data elements and cryptographic function of the EUIC H e function see table 2. 

Table 2: USIM- Enhanced User Identity Confidentiality - Cryptographic functions 



Symbol 


Description 


Multiplicity 


Lifetime 


Standardised / 
Proprietary 


Mandatory / Optional 


f6 


User identity encryption 
function 


1 


Permanent 


Proprietary 


Optional 


no 


TEMSI calculation 
function 


1 


Permanent 


Proprietary 


Optional 



4.2.2 Authentication and key agreement (AKAusim) 

The USIM shall support the UMTS mechanism for authentication and key agreement described in 6.3 of 3G TS 33. 102. 
The following data elements need to be stored on the USIM: 

a) K: a permanent secret key; 

b) SQN MS : a counter that is equal to the highest sequence number SQN in an AUTN parameter accepted by the 
user; 

c) RANDms: the random challenge which was received together with the last AUTN parameter accepted by the 
user. It is used to calculate the re-synchronisation message together with the highest accepted sequence number 

(SQNms); 

d) KSI: key set identifier; 

e) THRESHOLD c : a threshold defined by the HE to trigger re-authentication and to control the cipher key lifetime; 

f) CK The access link cipher key established as part of authentication; 

g) IK The access link integrity key established as part of authentication; 

h) HFN M s: Stored Hyper Frame Number provides the Initialisation value for most significant part of COUNT-C and 
COUNT-I. The least significant part is obtained from the RRC sequence number; 

i) AMF: A 16-bit field used Authentication Management. The use and format are unspecified in the architecture 
but examples are given in an informative annex; 



ETSI 



3G TS 33.103 version 3.2.0 Release 1999 



11 



ETSI TS 133 103 V3.2.0 (2000-03) 



j) The GSM authentication parameter and GSM cipher key derived from the UMTS to GSM conversion functions. 
Table 3 provides an overview of the data elements stored on the USIM to support authentication and key agreement. 

Table 3: USIM - Authentication and key agreement - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / 
Optional 


K 


Permanent secret 
key 


1 (notel) 


Permanent 


128 bits 


Mandatory 


SQNms 


Sequence number 
counter 


1 


Updated when 
AKA protocol is 
executed 


32-64 bits 


Mandatory 


WINDOW (option 
1) 


accepted sequence 
number array 


1 


Updated when 
AKA protocol is 
executed 


10 to 100 bits 


Optional 


LIST 
(option 2) 


Ordered list of 
sequence numbers 
received 


1 


Updated when 
AKA protocol is 
executed 


32-64 bits 


Optional 


RANDms 


Random challenge 
received by the 
user. 


1 


Updated when 
AKA protocol is 
executed 


128 bits 


Mandatory 


KSI 


Key set identifier 


1 


Updated when 
AKA protocol is 
executed 


3 bits 


Mandatory 


THRESHOLDc 


Threshold value for 
ciphering 


1 


Permanent 


32 bits 


Optional 


CK 


Cipher key 


1 


Updated when 
AKA protocol is 
executed 


128 bits 


Mandatory 


IK 


Integrity key 


1 


Updated when 
AKA protocol is 
executed 


128 bits 


Mandatory 


HFNmS: 


Initialisation value 
for most significant 
part for COUNT-C 
and forCOUNT-l 


1 


Updated when 
connection is 
released 


25 bits 


Mandatory 


AMF 


Authentication 
Management Field 
(indicates the 
algorithm and key 
in use) 


1 


Updated when 
AKA protocol is 
executed 


16 bits 


Mandatory 


RANDg 


GSM 

authentication 
parameter from 
conversion function 


1 


Updated when 
GSM AKA or 
UMTS AKA 
protocol is 
executed 


As for GSM 


Optional 


SRES 


GSM 

authentication 
parameter from 
conversion function 


1 


Updated when 
GSM AKA or 
UMTS AKA 
protocol is 
executed 


As for GSM 


Optional 


Kc 


GSM cipher Key 


1 


Updated when 
GSM AKA or 
UMTS AKA 
protocol is 
executed 


As for GSM 


Optional 



NOTE 1 : HE policy may dictate more than one, the active key signalled using the AMF function. 
The following cryptographic functions need to be implemented on the USIM: 

fl: a message authentication function for network authentication; 

fl*: a message authentication function for support to re-synchronisation; 

f2: a message authentication function for user authentication; 
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f3: a key generating function to derive the cipher key; 
f4: a key generating function to derive the integrity key; 
f5: a key generating function to derive the anonymity key; 

- c2: Conversion function for interoperation with GSM from XRES (UMTS) to SRES (GSM); 

- c3: Conversion function for interoperation with GSM from Ck and IK (UMTS) to Kc (GSM). 

Figure 2 provides an overview of the data integrity, data origin authentication and verification of the freshness by the 
USIM of the RAND and AUTN parameters received from the VLR/SGSN, and the derivation of the response RES, the 
cipher key CK and the integrity key IK. Note that the anonymity Key (AK) is optional. 



RAND 



f5 

T 

AK 



SQN e AK 

A. 



© 



SQN 



AUTN 



AMF 



MAC 



fl 



XMAC 



f2 



RES 



f3 



CK 



f4 



i r ^r ^ 



IK 



Verify MAC = XMAC 



Verify SQN > SQNhe 



Figure 2: User authentication function in the USIM 

Figure 3 provides an overview of the generation in the USIM of a token for re-synchronisation AUTS. 

a) The USIM computes MAC-S = fl* K (SQN M s II RAND II AMF*), whereby AMF* is a default value for AMF 
used in re-synchronisation. 

b) If SQN MS is to be concealed with an anonymity key AK, the USIM computes AK = f5 K (MAC-S HO.. .0), 
whereby MAC-S forms the 12 most significant octets and 32 zeros form the 4 least significant octets of the 
required 16 octet input parameter, and the concealed counter value is then computed as SQN M s © AK. 

c) The re-synchronisation token is constructed as AUTS = SQN MS [© AK] II MAC-S. 

Upon receipt of an indication of synchronisation failure and a (AUTS, RAND) pair, the HLR/AuC may perform the 
following cryptographic functions: 

a) If SQNms is concealed with an anonymity key AK, the HLR/AuC computes AK = f5 K (MAC-S 110.. .0), whereby 
MAC-S forms the 12 most significant octets and 32 zeros form the 4 least significant octets of the required 16 
octet input parameter and retrieves the unconcealed counter value as SQN MS = (SQN MS © AK) xor AK. 

b) If SQN generated from SQN HE would not be acceptable, then the HLR/AuC computes XMAC-S = f 1 * K (SQN MS 
II RAND II AMF*), whereby AMF* is a default value for AMF used in re-synchronisation. 
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SQN 



MS ■ 

AMF* 
RAND H 



K 



fi* 



MAC-S 



AK 



St""" 
t 
SQN MS e AK 



AUTS = SQNms [© AK] II MAC-S 



Figure 3: Generation of a token for re-synchronisation AUTS (note 1) 

NOTE 1: The lengths of AUTS and MAC-S are specified in table 22. 

Table 4 provides a summary of the cryptographic functions implemented on the USIM to support authentication and 
key agreement. 

Table 4: USIM - Authentication and key agreement - Cryptographic functions 



Symbol 


Description 


Multiplicity 


Lifetime 


Standardised / 
Proprietary 


Mandatory / Optional 


f1 


Network authentication 
function 




Permanent 


Proprietary 


Mandatory 


f1* 


Message authentication 
function for 
synchronisation 




Permanent 


Proprietary 


Mandatory 


f2 


User authentication 
function 




Permanent 


Proprietary 


Mandatory 


f3 


Cipher key generating 
function 




Permanent 


Proprietary 


Mandatory 


f4 


Integrity key generating 
function 




Permanent 


Proprietary 


Mandatory 


f5 


Anonymity key 
generating function 




Permanent 


Proprietary 


Optional 


c2 and c3 


Conversion functions 
for interoperation with 
GSM 


1 of each 


Permanent 


Standard 


Optional 



4.3 User equipment 

4.3.1 User identity confidentiality (UICue) 



The UE shall support the UMTS conventional mechanism for user identity confidentiality described in 6.1 of 3G TS 

33.102. 

The UE shall store the following data elements: 

TMUI-CS: a temporary identity allocated by the CS core network; 
LAI: a location area identifier; 

the TMUI-PS: a temporary identity allocated by the PS core network; 
the RAI: a routing area identifier 
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Table 5: UE - User Identity Confidentiality - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / 
Optional 


TMUI-CS 


Temporary user 
identity 


1 per user 


Updated when 
TMUI allocation 
protocol is executed 
by CS core network 


As per GSM TMSI 


Mandatory 


LAI 


Location area 
identity 


1 per user 


Updated when 
TMUI allocation 
protocol is executed 
by CS core network 




Mandatory 


TMUI-PS 


Temporary user 
identity 


1 per user 


Updated when 
TMUI allocation 
protocol is executed 
by PS core network 




Mandatory 


RAI 


Routing area 
identity 


1 per user 


Updated when 
TMUI allocation 
protocol is executed 
by PS core network 




Mandatory 



4.3.2 Data confidentiality (DC UE ) 



The UE shall support the UMTS mechanism for confidentiality of user and signalling data described in 6.6 of 3G TS 

33.102. 

The UE shall store the following data elements: 

a) UEA-MS: the ciphering capabilities of the UE; 

b) CK: the cipher key; 

c) UEA: the selected ciphering function; 
In addition, when in dedicated mode: 

d) COUNT-Cup: a time varying parameter for synchronisation of ciphering for the uplink; 

e) COUNT-Cdown: a time varying parameter for synchronisation of ciphering for the downlink; 

f) BEARER: a logical channel identifier; 

g) DIRECTION: An indication of the direction of transmission uplink or downlink to ensure a different cipher is 
applied. 

Table 6 provides an overview of the data elements stored on the UE to support the mechanism for data confidentiality: 
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Table 6: UE - Data Confidentiality - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / 
Optional 


UEA-MS 


Ciphering 
capabilities of the 
UE 


1 perUE 


Permanent 


16 bits 


Mandatory 


CK 


Cipher key 


1 per mode 


Updated at 
execution of AKA 
protocol 


128 bits 


Mandatory 


UEA 


Selected ciphering 
capability 


1 perUE 


Updated at 
connection 
establishment 


4 bits 


Mandatory 


count-Cup 


Time varying 
parameter for 
synchronisation of 
ciphering 


1 per logical 
channel 


Lifetime of a logical 
channel 


32 bits 


Mandatory 


COUNT-C DOWN 


Time varying 
parameter for 
synchronisation of 
ciphering 


1 per logical 
channel 


Lifetime of a logical 
channel 


32 bits 


Mandatory 


BEARER 


Logical channel 
identifier 


1 per logical 
channel 


Lifetime of a logical 
channel 


8 bits 


Mandatory 


DIRECTION 


An indication of the 
direction of 
transmission uplink 
or downlink 


1 per logical 
channel 


Lifetime of a logical 
channel 


1 bit 


Mandatory 



The following cryptographic functions shall be implemented on the UE: 

f8: access link encryption function (note 1). 

- c4: Conversion function for interoperation with GSM from Kc (GSM) to CK (UMTS). 

NOTE 1: The security architecture TS 33.102 refers to UEA , f8 is a specific implementation of UEA as defined in 
Cryptographic algorithm requirements TS 33.105. 

Table 7 provides an overview of the cryptographic functions implemented on the UE to support the mechanism for data 
confidentiality. 

Table 7: UE - Data Confidentiality - Cryptographic functions 



Symbol 


Description 


Multiplicity 


Lifetime 


Standardised / 
Proprietary 


Mandatory / Optional 


f8 


Access link encryption 
function 


1-16 


Permanent 


Standardised 


One at least is 
mandatory 


c4 


Conversion function for 
interoperation with GSM 


1 


Permanent 


Standardised 


Optional 



4.3.3 Data integrity (DI UE ) 



The UE shall support the UMTS mechanism for integrity of signalling data described in 6.4 of 3G TS 33.102. 
The UE shall store the following data elements: 

a) UIA-MS: the integrity capabilities of the UE. 
In addition, when in dedicated mode: 

b) UIA: the selected UMTS integrity algorithm; 

c) IK: an integrity key; 

d) COUNT-I UP : a time varying parameter for synchronisation of data integrity in the uplink direction; 
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e) COUNT-I D own: a time varying parameter for synchronisation of data integrity in the downlink direction; 

f) DIRECTION An indication of the direction of transmission uplink or downlink to ensure a different cipher is 
applied; 

g) FRESH: a network challenge; 

Table 8 provides an overview of the data elements stored on the UE to support the mechanism for data confidentiality: 

Table 8: UE - Data Integrity - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / 
Optional 


UIA-MS 


Ciphering 
capabilities of the 
UE 


1 per UE 


Permanent 


1 6 bits 


Mandatory 


UIA 


Selected ciphering 
capability 


1 per UE 


Updated at 
connection 
establishment 


4 bits 


Mandatory 


IK 


Integrity key 


1 per mode 


Updated by the 
execution of the 
AKA protocol 


128 bits 


Mandatory 


DIRECTION 


An indication of the 
direction of 
transmission uplink 
or downlink 


1 per logical 
channel 


Lifetime of a logical 
channel 


1 bit 


Mandatory 


COUNT-Iup 


Synchronisation 
value 


1 


Lifetime of a 
connection 


32 bits 


Mandatory 


COUNT-Idown 


Synchronisation 
value 


1 


Lifetime of a 
connection 


32 bits 


Mandatory 


FRESH 


Network challenge 


1 


Lifetime of a 
connection 


32 bits 


Mandatory 


MAC-I 
XMAC-I 


Message 
authentication code 


1 


Updated by the 
execution of the 
AKA protocol 


32 bits 


Mandatory 



The following cryptographic functions shall be implemented on the UE: 

f9: access link integrity function (note 1). 

- c5: Conversion function for interoperation with GSM Kc (GSM) > IK (UMTS) 

NOTE 1: The security architecture TS 33.102 refers to UIA, f9 is a specific implementation of UIA as defined in 
Cryptographic algorithm requirements TS 33.105. 

Table 9 provides an overview of the cryptographic functions implemented in the UE: 

Table 9: UE - Data Integrity - Cryptographic functions 



Symbol 


Description 


Multiplicity 


Lifetime 


Standardised / 
Proprietary 


Mandatory / Optional 


f9 


Access link data 
integrity function 


1-16 


Permanent 


Standardised 


One at least is 
mandatory 


c5 


Conversion function for 
interoperation with GSM 


1 


Permanent 


Standardised 


Optional 
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4.3.4 Enhanced user identity confidentiality (EUICue) 

The UE shall support the UMTS mechanism for enhanced user identity confidentiality described in 6.2 of 3G TS 

33.102. 

The UE shall store the following data elements: 

- the TEMSI: a temporary identity used for paging instead of IMSI. 

Table 9a: UE - User Identity Confidentiality - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / 
Optional 


TEMSI 


Temporary identity 
used for paging 
instead of IMSI 


1 per user 


Updated when a 
new identity request 
has been performed 


As per IMSI 


Optional 



4.4 



Radio network controller 



4.4.1 Data confidentiality (DC rnc ) 



The RNC shall support the UMTS mechanism for data confidentiality of user and signalling data described in 6.6 of 3G 
TS 33.102. 

The RNC shall store the following data elements: 

a) UEA-RNC: the ciphering capabilities of the RNC; 
In addition, when in dedicated mode: 

b) UEA: the selected ciphering function; 

c) CK: the cipher key; 

d) COUNT-C UP : a time varying parameter for synchronisation of ciphering for the uplink; 

e) COUNT-Cdown: a time varying parameter for synchronisation of ciphering for the downlink; 

f) DIRECTION: An indication of the direction of transmission uplink or downlink to ensure a different cipher is 
applied 

g) BEARER: a logical channel identifier. 

Table 10 provides an overview of the data elements stored in the RNC to support the mechanism for data 
confidentiality: 
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Table 10: RNC - Data Confidentiality - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / 
Optional 


UEA-RNC 


Ciphering 
capabilities of the 
UE 


1 


Permanent 


1 6 bits 


Mandatory 


UEA 


Selected ciphering 
capability 


1 per user and 
per mode 


Updated at 
connection 
establishment 


4 bits 


Mandatory 


CK 


Cipher key 


1 per user and per 
mode 


Updated at 
connection 
establishment 


128 bits 


Mandatory 


count-Cup 


Time varying 
parameter for 
synchronisation of 
ciphering 


1 per logical 
channel 


Lifetime of a logical 
channel 


32 bits 


Mandatory 


COUNT-C DOWN 


Time varying 
parameter for 
synchronisation of 
ciphering 


1 per logical 
channel 


Lifetime of a logical 
channel 


32 bits 


Mandatory 


BEARER 


Logical channel 
identifier 


1 per logical 
channel 


Lifetime of a logical 
channel 


8 bits 


Mandatory 


DIRECTION 


An indication of the 
direction of 
transmission uplink 
or downlink 


1 per logical 
channel 


Lifetime of a logical 
channel 


1 bit 


Mandatory 



The following cryptographic functions shall be implemented in the RNC: 

f8: access link encryption function. 
Table 1 1 provides an overview of the cryptographic functions that shall be implemented in the RNC: 

Table! 1 : RNC - Data integrity - Cryptographic functions 



Symbol 


Description 


Multiplicity 


Lifetime 


Standardised / 
Proprietary 


Mandatory / Optional 


f9 


Access link data 
integrity function 


1-16 


Permanent 


Standardised 


One at least is 
mandatory 



4.4.2 Data integrity (Dl rnc ) 

The RNC shall support the UMTS mechanism for data integrity of signalling data described in 6.4 of 3G TS 33. 102. 
The RNC shall store the following data elements: 

a) UIA-RNC: the integrity capabilities of the RNC; 
In addition, when in dedicated mode: 

b) UIA: the selected UMTS integrity algorithm; 

c) IK: an integrity key; 

d) COUNT-I UP : a time varying parameter for synchronisation of data integrity in the uplink direction; 

e) COUNT-I D own: a time varying parameter for synchronisation of data integrity in the downlink direction; 

f) DIRECTION An indication of the direction of transmission uplink or downlink to ensure a different cipher is 
applied; 

g) FRESH: an MS challenge. 
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Table 12 provides an overview of the data elements stored on the UE to support the mechanism for data confidentiality: 

Table12: UE - Data Integrity - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / 
Optional 


UIA-RNC 


Data integrity 
capabilities of the 
RNC 


1 


Permanent 


1 6 bits 


Mandatory 


UIA 


Selected data 
integrity capability 


1 per user 


Lifetime of a 
connection 


4 bits 


Mandatory 


IK 


Integrity key 


1 per user 


Lifetime of a 
connection 


128 bits 


Mandatory 


DIRECTION 


An indication of the 
direction of 
transmission uplink 
or downlink 


1 per logical 
channel 


Lifetime of a logical 
channel 


1 bit 


Mandatory 


COUNT-Iup 


Synchronisation 
value 


1 


Lifetime of a 
connection 


32 bits 


Mandatory 


COUNT-Idown 


Synchronisation 
value 


1 


Lifetime of a 
connection 


32 bits 


Mandatory 


FRESH 


MS challenge 


1 


Lifetime of a 
connection 


32 bits 


Mandatory 


MAC-I 
XMAC-I 


Message 
authentication code 


1 


Updated by the 
execution of the 
AKA protocol 


32 bits 


Mandatory 



The following cryptographic functions shall be implemented on the UE: 

f9: access link integrity function. 
Table 13 provides an overview of the cryptographic functions implemented in the UE: 

Table 13: UE - Data Integrity - Cryptographic functions 



Symbol 


Description 


Multiplicity 


Lifetime 


Standardised / 
Proprietary 


Mandatory / Optional 


f9 


Access link data 
integrity function 


1-16 


Permanent 


Standardised 


One at least is 
mandatory 



4.5 SN (or MSC/VLR or SGSN) 
4.5.1 User identity confidentiality (UICsn) 

The VLR (equivalently the SGSN) shall support the UMTS conventional mechanism for user identity confidentiality 
described in 6.1 of 3G TS 33.102. 

The VLR shall store the following data elements: 

TMUI-CS: a temporary identity allocated by the CS core network; 

LAI: a location area identifier; 
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Table 14: VLR - User Identity Confidentiality - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / Optional 


TMUI-CS 


Temporary user identity 


2 per user 


Updated when TMUI 
allocation protocol is 
executed by CS core 
network 




Mandatory 


LAI 


Location area identity 


2 per user 


Updated when TMUI 
allocation protocol is 
executed by CS core 
network 




Mandatory 



Equivalently, the SGSN shall store the following data elements: 

TMUI-PS: a temporary identity allocated by the PS core network; 
RAI: a routing area identifier. 

Table 15: SGSN - User Identity Confidentiality - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / Optional 


TMUI-PS 


Temporary user identity 


1 per user 


Updated when TMUI 
allocation protocol is 
executed by PS core 
network 




Mandatory 


RAI 


Routing area identity 


1 per user 


Updated when TMUI 
allocation protocol is 
executed by PS core 
network 




Mandatory 



4.5.2 Enhanced user identity confidentiality (EUICsn) 

The VLR (equivalently the SGSN) shall support the UMTS mechanism for enhanced user identity confidentiality 
described in 6.2 of 3G TS 33.102. 

The VLR shall store the following data elements: 

the TEMSI: a temporary identity used for paging instead of IMSI. 

Table 15a: VLR - User Identity Confidentiality - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / Optional 


TEMSI 


Temporary identity used 
for paging instead of 
IMSI 


1 per user 


Updated when a new 
identity request has been 
performed 


As per 
IMSI 


Optional 



Equivalently, the SGSN shall store the following data elements: 

the TEMSI: a temporary identity used for paging instead of IMSI. 

Table 15b: SGSN - User Identity Confidentiality - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / Optional 


TEMSI 


Temporary identity used 
for paging instead of 
IMSI 


1 per user 


Updated when a new 
identity request has been 
performed 


As per 
IMSI 


Optional 
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4.5.3 Authentication and key agreement ( AKA SN ) 

The VLR (equivalently the SGSN) shall support the UMTS mechanism for authentication and key agreement described 
in 6.3 of3GTS 33.102. 

The following data elements need to be stored in the VLR (and SGSN): 

a) AV: Authentication vectors; 

Table 16 provides an overview of the composition of an authentication vector 

Table 16: Composition of an authentication vector 



Symbol 


Description 


Multiplicity 


Length 


RAND 


Network challenge 


1 


128 


XRES 


Expected response 


1 


32-128 


CK 


Cipher key 


1 


128 


IK 


Integrity key 


1 


128 


AUTN 


Authentication token 


1 that consists of: 


112-144 


SQN 

or 

SQN AK 


Sequence number 

or 

Concealed sequence number 


1 per AUTN 


32-64 


AMF 


Authentication Management Field 


1 per AUTN 


16 


MAC-A 


Message authentication code for network authentication 


1 per AUTN 


64 



b) KSI: Key set identifier; 

c) CK: Cipher key; 

d) IK: Integrity key; 

e) GSM AV: Authentication vectors for GSM. 

Table 17 provides an overview of the data elements stored in the VLR/SGSN to support authentication and key 
agreement. 

Table 17: VLR/SGSN - Authentication and key agreement - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / 
Optional 


UMTS AV 


UMTS 

Authentication 

vectors 


several per user, 
SN dependent 


Depends on many 
things 


528-656 


Mandatory 


KSI 


Key set identifier 


1 per user 


Updated when AKA 
protocol is executed 


3 bits 


Mandatory 


CK 


Cipher key 


1 per user 


Updated when AKA 
protocol is executed 


128 bits 


Mandatory 


IK 


Integrity key 


1 per user 


Updated when AKA 
protocol is executed 


128 bits 


Mandatory 


GSMAV 


GSM Authentication 
vectors 


As for GSM 


As for GSM 


As for GSM 


Optional 



The following cryptographic functions shall be implemented in the VLR/SGSN: 

- c4: Conversion function for interoperation with GSM from Kc (GSM) to CK (UMTS); 

- c5: Conversion function for interoperation with GSM from Kc (GSM) to IK (UMTS). 

Table 18 provides an overview of the cryptographic functions implemented on the UE to support the mechanism for 
data confidentiality. 
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Table 18: VLR/SGSN Authentication and Key Agreement - Cryptographic functions 



Symbol 


Description 


Multiplicity 


Lifetime 


Standardised / 
Proprietary 


Mandatory / Optional 


c4 


Conversion function for 
interoperation with GSM 


1 


Permanent 


Standardised 


Optional 


c5 


Conversion function for 
interoperation with GSM 


1 


Permanent 


Standardised 


Optional 



4.6 Home location register / Authentication centre 
4.6.1 Authentication and key agreement (AKA he ) 

The HLR/AuC shall support the UMTS mechanism for authentication and key agreement described in 6.3 of 3G TS 

33.102. 

The following data elements need to be stored in the HLR/AuC: 

a) K: a permanent secret key; 

b) SQN HE : a counter used to generate SQN from; 

c) AV: authentication vectors computed in advance; 

Table 19 provides an overview of the data elements stored on the HLR/AuC to support authentication and key 
agreement. 

Table 19: HLR/AuC - Authentication and key agreement - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / 
Optional 


K 


Permanent secret 
key 


1 


Permanent 


128 bits 


Mandatory 


SQNhe 


Sequence number 
counter 


1 


Updated when AVs 
are generated 


32-64 bits 


Mandatory 


UMTS AV 


UMTS 

Authentication 

vectors 


HE option 


Updated when AVs 
are generated 


544-640 bits 


Optional 


GSMAV 


GSM Authentication 
vectors 


HE option that 
consists of: 


Updated when AVs 
are generated 


As GSM 


Optional 


RAND 


GSM Random 
challenge 






128 bits 


Optional 


SRES 


GSM Expected 
response 






32 bits 


Optional 


Kc 


GSM cipher key 






64 bits 


Optional 



Table 20 shows how the construction of authentication token for synchronisation failure messages used to support 
authentication and key agreement. 

Table 20: Composition of an authentication token for synchronisation failure messages 



Symbol 


Description 


Multiplicity 


Length 


AUTS 


Synchronisation Failure authentication token 


that consists of: 


96-128 


SQN 


Sequence number 


1 per AUTS 


32-64 


MAC-S 


Message authentication code for Synchronisation 
Failure messages 


1 per AUTS 


64 



Figure 4 provides an overview of how authentication vectors are generated in the HLR/AuC. 
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SQN AMF 



fl 



T 



Generate SQN 



l'2 



i'3 



MAC 
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CK 
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^ 



i'4 



I J J 



IK 



RAND 



i'5 



T 



AK 



AUTN := SQN AK II AMF II MAC 



AV :=RAND II XRES II CK II IK IIAUTN 



Figure 4: Generation of an authentication vector 

The following cryptographic functions need to be implemented in the HLR/AuC: 
fl: a message authentication function for network authentication; 
fl*: a message authentication function for support to re-synchronisation; 
f2: a message authentication function for user authentication; 
f3: a key generating function to derive the cipher key; 
f4: a key generating function to derive the integrity key; 
f5: a key generating function to derive the anonymity key; 

- cl: Conversion function for interoperation with GSM from RAND (UMTS) > RAND (GSM); 

- c2: Conversion function for interoperation with GSM from XRES (UMTS) to SRES (GSM); 

- c3: Conversion function for interoperation with GSM from CK and IK (UMTS) to Kc (GSM). 

Table 21 provides a summary of the cryptographic functions implemented on the USIM to support authentication and 
key agreement. 
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Table 21 : HLR/AuC - Authentication and key agreement - Cryptographic functions 



Symbol 


Description 


Multiplicity 


Lifetime 


Standardised / 
Proprietary 


Mandatory / Optional 


f1 


Network authentication 
function 




Permanent 


Proprietary 


Mandatory 


f1* 


Message authentication 
function for 
synchronisation 




Permanent 


Proprietary 


Mandatory 


f2 


User authentication 
function 




Permanent 


Proprietary 


Mandatory 


f3 


Cipher key generating 
function 




Permanent 


Proprietary 


Mandatory 


f4 


Integrity key generating 
function 




Permanent 


Proprietary 


Mandatory 


f5 


Anonymity key 
generating function 




Permanent 


Proprietary 


Optional 


A3/A8 


GSM user 
authentication functions 




Permanent 


Proprietary 


Optional 


c1 , c2 and 
c3 


Functions for 
converting UMTS AV's 
to GSM AV's 


1 for each 


Permanent 


Standard 


Optional 



4.7 Enhanced user identity confidentiality (EUIChe) 

For UMTS users with EUIC, the UIDN has to store additional data and have additional function implemented to decrypt 
the permanent user identity (IMSI) and to calculate the paging identity TEMSI to be used instead of IMSI. We describe 
the requirements as regards data storage and algorithm implementation for the example mechanism in annex B of 3G 

TS 33.102. 

The following data elements need to be stored on the UIDN: 

a) GK: the group key used to decrypt the IMSI and SQN UIC ; 

b) GI: a group identifier that identifies the group the user refers to as well as the GK; 

c) TEMSI: a temporary identity used for paging instead of IMSI; 

d) IMSI: the IMSI of the user the feature is applied to. 

Table 21a: UIDN - Enhanced User Identity Confidentiality - Data elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / 
Optional 


GK 


Group key 


1 per user group 


Permanent 


128 


Optional 


GI 


Group Identity 


1 per user 


Permanent 


32 bits 


Optional 


TEMSI 


Temporary 
identity used for 
paging instead of 
IMSI 


1 per user 


Updated when a 
new identity 
request has been 
performed 


As per IMSI 


Optional 


IMSI 


IMSI 


1 per user 


Permanent 


64 bits 


Optional 



The following cryptographic functions need to be implemented in UIDN: 
f7: the user identity decryption function. 
- flO: TEMSI calculation function. 
For a summary of the data elements and cryptographic function of the EUIChe function see table 2. 
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Table 21b: UIDN - Enhanced User Identity Confidentiality - Cryptographic functions 



Symbol 


Description 


Multiplicity 


Lifetime 


Standardised / 
Proprietary 


Mandatory / 
Optional 


f7 


User identity 

decryption 

function 


1 


Permanent 


Proprietary 


Optional 


no 


TEMSI 

calculation 

function 


1 


Permanent 


Proprietary 


Optional 





5 Provider domain security 

5.1 Functional security architecture 



Layer I 



Network X 



Network Y 



KAC X 



Session Key KS> 



Key Distribution Complete 



KACy 



Layer II 



Session Key KS> 



Session Key KS X y 



Layer III 




- (data) 




Figure 5: Overview of Proposed Mechanism 

This mechanism establishes a secure signalling links between network nodes, in particular between VLR/SGSNs and 
HE/AuCs. Such procedures may be incorporated into the roaming agreement establishment process. 

A secret key transport mechanism based on an asymmetric crypto-system i used to agree on a symmetric session key for 
each direction of communication between two networks X and Y. 

The party wishing to send sensitive data initiates the mechanism and chooses the symmetric session key it wishes to use 
for sending the data to the other party. The other party shall choose a symmetric session key of its own, used for 
sending data in the other direction. This second key shall be transported immediately after the first key has been 
successfully transported. The session symmetric keys are protected by asymmetric techniques. They are exchanged 
between certain elements called the Key Administration Centres (KACs) of the network operators X and Y. 
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Transport of Session Keys 

In order to establish a symmetric session key with version no. i to be used for sending data from X to Y, the KACx 
sends a message containing the following data to the KACy: 

EpK(Y){X||Y||i||KSxY(i)||RND x ||Text1||D S K(x)(Ha5/7(X||Y[|i||KSxY(i)||RND x ||Text1))||Text2}||Text3 ~ 

After having successfully distributed the symmetric session key received by network X to its own network entities, 
network Y sends to X a Key Distribution Complete Message. This is an indication to KACx to start with the distribution 
of the key to its own entities, which can then start to use the key immediately. 

The message takes the form 

KEY_DIST_COMPLETE||Y||X||i||RNDY||DsK(Y)(Has/?^KEY_DIST_COMPLETEllY||X|li||RND Y ) 

where i indicates the distributed key and RND Y is a random number generated by Y. The digital signature is appended 
for integrity and authenticity purposes. Y includes RND Y to make sure that the message contents determined by X will 
be modified before signing. 

Since most of the signalling messages to be secured are bidirectional in character, immediately after successful 
completion the procedure described here shall be repeated, now with Y choosing a key KSyx(i) to be used in the reverse 
direction, and X being the receiving party. Thereby keys for both directions are established. 



5.2 Key Authentication Centre 

Details in security architecture to be finalised 



ETSI 



3G TS 33.103 version 3.2.0 Release 1999 



27 



ETSI TS 133 103 V3.2.0 (2000-03) 



5.3 Core network entities 



Table 22: Signalling Protection- Data Elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / 
Optional 


PVTKs 


Network's own 
Private Key ( 
signing) 




According to 
roaming agreement 


< or = 2048 bits 


Mandatory 


PVTKd 


Network's own 
Private Key 
(decryption) 




According to 
roaming agreement 


< or = 2048 bits 


Mandatory 


PUBKvi 


PKRi Public Key 
for network #1 
(verify) 


1 per roaming 
agreement 


According to 
roaming agreement 


< or = 2048 bits 


Mandatory 


PUBKei 


PKRi Public Key 
for network #1 
(encryption) 


1 per roaming 
agreement 


According to 
roaming agreement 


< or = 2048 bits 


Mandatory 


KSxv(i) 


Symmetric Send 
Key #i for sending 
data from X to Y 


1 per session 


According to 
roaming agreement 


128 bits 


Mandatory 


KSyx (j) 


Symmetric Send 
Key #j for sending 
data from Y to X 


1 per session 


According to 
roaming agreement 


128 bits 


Mandatory 


1 


Session key 
Sequence Number 
(for sending data 
from X to Y) 


1 per session 


According to 
roaming agreement 


32 - 64 bits 


Mandatory 


J 


Session key 
Sequence Number 
(for sending data 
from Y to X) 


1 per session 


According to 
roaming agreement 


32 - 64 bits 


Mandatory 


RNDx 


Unpredictable 
Random Value 
generated by X 


1 per session 


Session 


128 bits 


Mandatory 


RNDy 


Unpredictable 
Random Value 
generated by Y 


1 per session 


Session 


128 bits 


Mandatory 



Table 23: Signalling Protection -Cryptographic Functions 



Symbol 


Description 


Multiplicity 


Lifetime 


Standardised / 
Proprietary 


Mandatory / Optional 


BEANO 


Block Encryption 
Algorithm for Network 
Operators 


1 


Permanent 


Standardised 


Mandatory 



Network Wide Confidentiality 



Network- wide confidentiality is an option, which provides a protected mode of transmission on user traffic channels 
across the entire network. This gives users assurance that their traffic is protected against eavesdropping on every link 
within the network, i.e. not just the particularly vulnerable radio links in the access network, but also on the fixed links 
within the core network. 

Network- wide confidentiality is provided by protecting transmissions on user traffic channels, using a synchronous 
stream cipher. This uses the same algorithm as for access link encryption. 
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The key management scheme for network-wide encryption involves establishing a network-wide cipher key between 
the end points of the traffic channel. In addition to the access link cipher and integrity keys, the USIM and the 
MSC/VLR or equivalent SGSN also establish a network- wide cipher key component ECKC as part of the 
authentication and key agreement procedure. This key component will be used to generate the network-wide cipher key 
ECK. 

Since this ECK can also be generated by MSC/VLRa or MSC/VLRb and then used by decryption facilities in the core 
network, the requirement for lawful interception is satisfied. 

1) MSC/VLRa and MSC/VLRb shall exchange network-wide cipher keys components for UEa and UEb. - 
MSC/VLRa passes ECKCb to UEa, while MSC/VLRb passes ECKCa to UEb. 

2) At each end the access link key is transmitted to the UE over signalling channels which are protected using the 
access link cipher keys CK. 

3) When each UE has received the other party's network- wide cipher key component, the network- wide cipher key 
ECK shall be calculated as a function of ECKCa and ECKCb. 



MSC/ 
VLRa 



ECKC h 



RNCa 



ECK= 



UEa 



f(ECKCa,ECKCb) 



ECKCa 



ECKCb 



MSC/ 
VLRb 



ECKC 



RNCb 



UEb 



ECK= 
f(ECKCa,ECKCb) 



User traffic links protected by network-wide encryption 
Signalling links protected by link encryption 



Table 24: MSC/VLR Network Wide Confidentiality - Data Elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / Optional 


ECKC 


Network-wide cipher 
key component for UE 


1 per user 


Updated when AKA 
protocol is executed 


128 bits 


Optional 


ECKCpeer 


Network-wide cipher 
key component for peer 
UE 


1 per user 


Updated when AKA 
protocol is executed 


128 bits 


Optional 


ECK 


the network-wide cipher 
key 


1 per user 


When required for 
Lawful Interception 
purposes 


128 bits 


Optional 
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Table 25: UE Network Wide Confidentiality - Data Elements 



Symbol 


Description 


Multiplicity 


Lifetime 


Length 


Mandatory / Optional 


ECKC 


Network-wide cipher 
key component for UE 


1 per user 


Updated when network 
wide traffic channel is 
established 


128 bits 


Optional 


ECKCpeer 


network-wide cipher key 
component for peer UE 


1 per user 


Updated when network 
wide traffic channel is 
established 


128 bits 


Optional 


ECK 


the network-wide cipher 
key 


1 per user 


Updated when network 
wide traffic channel is 
established 


128 bits 


Optional 



Table 26: UE Network Wide Confidentiality - Cryptographic functions 



Symbol 


Description 


Multiplicity 


Lifetime 


Standardised / 
Proprietary 


Mandatory / Optional 


f9 


Network-wide user 
traffic confidentiality 
Algorithm 


1 


Permanent 


Standardised 


Mandatory 
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